This document provides general configuration and deployment guidelines for the Cisco Aironet Access Point Module for Wireless Security and Spectrum Intelligence (WSSI). The WSSI is an add-on module that can be inserted into modular access points (APs) such as the Cisco 3600 series AP.

The Cisco Wireless Security and Spectrum Intelligence module, taking advantage of the flexible modular design of the Cisco Aironet 3600 Series AP, delivers unprecedented, always-on security scanning and spectrum intelligence. This helps you avoid radio frequency (RF) interference so that you get better coverage and performance on your wireless network.

The WSSI field-upgradeable module is a dedicated radio that off-loads all monitoring and security services from the client/data serving radios to the security monitor module. This not only allows for better client performance, but also reduces costs by eliminating the need for dedicated Monitor Mode APs and the Ethernet infrastructure required to connect those devices into their network.

Together, the 3600 Series APs and WSSI module enable you to concurrently provide state-of-the-art security and spectrum analysis functions for Wi-Fi clients on all channels, in both the 2.4-GHz and 5-GHz bands.

Once deployed, the module is constantly scanning all channels to help ensure the most secure and robust wireless experience available in the industry.

Reduces network costs and operations. By integrating the WSSI module into the 3600 series, you can replace up to three separate devices. This consolidates three separate functions into a single, multi-purpose 3600 Series AP.

Customers can now leverage a single Ethernet connection (cable and port) into their wired network, in place of what would typically require up to three separate Ethernet cables and an access port into their wired network. This significantly reduces their CAPEX.

By integrating all these features to a single AP, customers simplify the day-to-day management and monitoring of their wireless infrastructure and network with a greatly reduced number of APs. The WSSI module appears to the WLC and management systems as an additional radio supporting 802.11b/g/a/n client devices (2.4 and 5 GHz) within the specific 3600 Series AP.

Zero Touch Configuration, Install, Power-up and Go. There is absolutely no configuration required to enable the WSSI Module to be up and running, and immediately monitoring and securing your wireless network. The WSSI module is inserted and secured to any 3600 Series AP. When the AP is powered back up, the module is initialized along with the other radios in the AP and immediately begins monitoring all channels on both 2.4 and 5 GHz for any potential security threats and sources of interference.

Adaptive wIPS provides accurate and efficient threat detection on all channels from over-the-air attacks, rogue APs, and ad hoc connections, as well as the ability to classify, notify, mitigate and report for constant monitoring and proactive management. It works in conjunction with the Cisco Mobility Services Engine (MSE).

ELM:

Adds wIPS security scanning for 7x24 on channel scanning (2.4GHz and 5 GHz), with best effort off channel support.

The AP additionally serves clients and, with the G2 Series of APs, enables CleanAir spectrum analysis on channels (2.4GHz and 5GHz).

Monitor Mode:

The Monitor Mode AP (MMAP) is dedicated to operate in Monitor Mode and has the option to add wIPS security scanning of all channels (2.4GHz and 5GHz).

The G2 Series of APs enables CleanAir spectrum analysis on all channels (2.4GHz and 5GHz).

MMAPs do not serve clients.

AP3600 with WSSI Module: The Evolution of Wireless Security and Spectrum

Dedicated 2.4GHz and 5GHz radio with its own antennas that enables 7x24 scanning of all wireless channels in the 2.4GHz and 5GHz bands.

A single Ethernet infrastructure provides simplified operation with fewer devices to manage and optimized return on investment of the AP3600 wireless infrastructure and the Ethernet wired infrastructure.

Cisco CleanAir Technology: provides proactive, high-speed spectrum intelligence to combat performance problems due to wireless interference. The industry’s first state-of-the-art RF analysis technology that inspects and classifies the energy patterns (signatures) of devices that can significantly impact the quality of a wireless network.

Radio Resource Management (RRM): simplified, advanced RF management that automatically adapts to the wireless network environment based on the information received from Cisco CleanAir Technology. Once interferers are identified, RRM is able to move client devices to channels away from the interference and adjust the transmit power to move away from the source of interference. This provides better RF quality to the user.

With these features, the Cisco Wireless Security and Spectrum Intelligence module, along with the Cisco 3600 series AP, provides the most secure and robust enterprise class wireless network possible for your corporate users and data.

A local mode AP scans for CleanAir interferers and wIPS attackers on-channel. This means the AP only scans the channel that it is serving. A local mode AP with a 2.4GHz radio serving channel 1 and a 5GHz radio serving channel 64 only provides protection on channels 1 and 64.

A MMAP scans for CleanAir interferers and wIPS attackers off-channel. This means the AP scans all channels. The 2.4GHz radio scans all 2.4GHz channels and the 5GHz radio scans all 5GHz channels.

A Cisco 3600 series AP uses a combination of on-channel and off-channel scanning. The 2.4GHz and 5GHz radios scan on-channel and the WSSI module scans off-channel, cycling between all 2.4GHz and 5GHz channels.

In traditional Monitor AP deployment, Cisco recommends a ratio of 1 MMAP to every 5 local mode APs. This can vary based on network design and expert guidance for best coverage. With the WSSI module, there are different deployment recommendations based on functionality to achieve coverage parity with a MMAP.

For CleanAir, it is recommended to deploy 1 WSSI module for every 5 local or Flexconnect APs. This 1:5 deployment offers the same performance as a CleanAir enabled MMAP, but still allows the AP to serve clients. This is a recommended deployment for a WSSI module performing CleanAir:

For wIPS protection, it is recommended to deploy 2 WSSI modules for every 5 local or FlexConnect APs. The wIPS detection time for an off-channel attack is about two times that of a MMAP. Therefore, a 2:5 deployment is required to provide wIPS detection parity. This is the recommended deployment for a WSSI module performing wIPS protection:

The Cisco 3600 AP with a WSSI module utilizes both on-channel and off-channel scanning to provide an industry leading solution while serving clients.
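
An added example, not part of the Cisco guide: a small Python audit that applies the 1:5 (CleanAir) and 2:5 (wIPS) WSSI densities above to an AP inventory and lists the channels each area scans on-channel only. The inventory, AP names, area names and the round-up rule for partial groups of five APs are assumptions made for this example.

```python
from collections import defaultdict

# WSSI modules per client-serving (local/FlexConnect) APs, as stated in the guide.
RATIOS = {"cleanair": (1, 5), "wips": (2, 5)}

def modules_needed(ap_count, function):
    """Modules required for ap_count APs; partial groups round up (assumption)."""
    modules, per_aps = RATIOS[function]
    return -(-ap_count * modules // per_aps)  # integer ceiling

def audit(inventory):
    """Group APs by area and report WSSI shortfalls and on-channel coverage."""
    areas = defaultdict(list)
    for ap in inventory:
        areas[ap["area"]].append(ap)
    report = {}
    for area, aps in areas.items():
        have = sum(1 for ap in aps if ap["wssi"])
        report[area] = {
            "aps": len(aps),
            "wssi": have,
            # Channels the serving radios sit on: scanned on-channel continuously.
            "on_channel": sorted({ch for ap in aps for ch in ap["channels"]}),
            # Without a WSSI module no radio in the area cycles the other channels.
            "off_channel_scanning": have > 0,
            "shortfall": {fn: max(0, modules_needed(len(aps), fn) - have)
                          for fn in RATIOS},
        }
    return report

def _ap(name, area, wssi, ch24, ch5):
    return {"name": name, "area": area, "wssi": wssi, "channels": (ch24, ch5)}

# Constructed sample inventory (hypothetical names, areas and channel plan).
INVENTORY = (
    [_ap(f"f1-ap{i}", "floor1", i < 2, (1, 6, 11)[i % 3], 36 + 4 * i) for i in range(5)]
    + [_ap(f"f2-ap{i}", "floor2", i == 0, (1, 6, 11)[i % 3], 36 + 4 * i) for i in range(7)]
    + [_ap("lab-ap0", "lab", False, 1, 64), _ap("lab-ap1", "lab", False, 1, 64)]
)

if __name__ == "__main__":
    for area, result in audit(INVENTORY).items():
        print(area, result)
```

Monitor Mode APs are not counted here; the audit covers only areas whose off-channel scanning comes from WSSI modules.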

The WSSI module detects CleanAir interferers with the same precision as a MMAP. Cisco recommends that the WSSI module be deployed with a density of 1:5, where there must be 1 WSSI module for every 5 APs. This is the same recommended density as for a MMAP.

When the WSSI module is enabled with no sub-mode, the module scans both the 2.4GHz band and 5GHz band. The module dwells on each channel for 1.2 seconds and scans for CleanAir interferers.

CleanAir can be enabled on 2.4GHz only, 5GHz only, and both 2.4GHz and 5GHz. This is selectable from either the WLC CLI or GUI. Here is an example of configuring CleanAir on the WLC CLI:

The same configuration can be applied on the GUI via Wireless > Dual-Band Radios > Configure. Here is an example:

The CleanAir interferers are reported at the WLC GUI. Interferers are displayed PER BAND. This means interferers detected on the WSSI module on the 5GHz band are displayed under Monitor > 802.11a/n > Interference Devices.

In order to verify that the CleanAir interferer was detected by the WSSI module, issue the show cleanair interferers command from the AP console:

The WSSI module detects wIPS attackers with nearly the same precision as a MMAP. For wIPS, Cisco recommends deploying the WSSI module with a 2:5 ratio among APs. This means for every 5 APs, two of the APs must contain the WSSI module.

There are two wIPS modes that can be configured:

wIPS submode - Enables wIPS attack detection and scans all channels for 1.2s. This mode allows the AP to still capture all RRM reports in addition to wIPS detections.

From the Prime Infrastructure (PI) page, go to Configure > Access Points > AP_NAME. The WSSI module can be configured to either wIPS submode or wIPS submode + Enhanced wIPS Engine Support. This can also be pushed as part of an AP configuration template.

The wIPS attacks are displayed at the Prime Infrastructure from the Home > Security tab.

The PI displays a network-level view, but you can display the attack on an AP3600 with a WSSI module by issuing the show capwap am alarm ALARM_NUM command from the AP console.

For example, alarm 52 is a Denial of Service, authentication flood. In order to see if that attack was detected on the WSSI module, issue the show capwap am alarm 52 command:

The WSSI module detects rogue APs with the same precision as a MMAP. A list of rogue APs is displayed in both the WLC and PI.

This is the list of Unclassified Rogue APs from the WLC GUI. Rogue APs can be viewed in the WLC GUI under Monitor > Rogues.

You can verify from the AP console that the WSSI module detected a rogue AP. From the console, enter the show capwap rm rogue ap d2 all command. This displays all rogue APs seen at the WSSI module radio.

The WSSI module is a 0x4 module (receive antennas only), meaning that rogue containment will be performed on the 2.4GHz or 5GHz radio. In order to configure the WSSI to automatically contain rogue APs, you must ensure that in the WLC GUI under Security > Wireless Protection Policies > Rogue Policies > General that Auto Containment only for Monitor mode APs is not enabled (see the next screenshot). All other check-boxes can be enabled.